Google has disabled functionality that let it install advertising cookies on …

The Consumer Watchdog advocacy group today asked the Federal Trade Commission to investigate whether Google violated a previous privacy agreement with the FTC by tracking cookies in a way that circumvents default privacy settings in Apple's Safari browser.

Google's method of getting around Safari's default blockage of third-party cookies was detailed today in a study by Stanford grad student Jonathan Mayer and in two articles in the Wall Street Journal. One Journal headline calls it "Google's iPhone tracking," but the technique actually works across iPhones, iPads, iPod touches, and desktop computers. After being contacted by the Journal, Google disabled the code that had allowed it to install tracking cookies on Safari, even though the browser is designed to block such cookies by default.

Google says it was unintentional, but this is also concerning—the advertising cookies spread without Google even realizing it.

The code used by Google was part of its program to place the "+1" button in advertisements. As the Journal explains, "Safari generally blocks cookies that come from elsewhere—such as advertising networks or other trackers. But there are exceptions to this rule, including that if you interact with an advertisement or form in certain ways, it’s allowed to set a cookie even if you aren’t technically visiting the site. Google’s code, which was placed on certain ads that used the company’s DoubleClick ad technology... took advantage of this loophole."

Three additional advertising companies—Vibrant Media, Media Innovation Group, and PointRoll—were accused of doing the same thing.

Google blames Safari functionality, says cookies spread by accident

In a statement sent to Ars, Google's Senior VP of Communications and Public Policy, Rachel Whetstone, stressed that the advertising cookies did not collect any personal information, that they were an unintentional byproduct of Google adding new functionality for signed-in Google users on Safari, and that Google has now disabled these particular advertising cookies.

The Google statement makes it clear that the tracking cookie placement was specific to Safari, and that the browser contains functionality that allowed it to happen without Google even realizing it.

The full Google statement reads as follows:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous—effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."

The Journal notes that an update to WebKit that closes the loophole—and was prepared by two Google engineers—could be incorporated into future versions of Safari. An Apple spokesperson told Ars that "We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it."

Consumer Watchdog: Google tricked Safari users

But Google still faces that FTC complaint from Consumer Watchdog. The FTC doesn't typically reveal when it conducts an investigation, so we don't know how seriously the complaint will be taken. But Consumer Watchdog Privacy Project Director John Simpson claimed in a letter to FTC Chairman Jon Leibowitz that Google's actions violate the "Buzz Consent Agreement," which requires Google to get consent from users any time it changes its services in a way that results in the sharing of more information.

Simpson blasted Google for giving "false advice" to Safari users regarding the ability to permanently opt out of receiving targeted advertising. "Google has developed a so-called browser 'plugin' for Internet Explorer, Firefox, and Google Chrome that makes the opt-out persistent," Simpson wrote. "Google has not developed a plugin for Safari." Instead, Google tells Safari users "While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie."

Simpson's letter to the FTC concludes by saying that all four advertising companies identified by Mayer's research should be investigated, but "Given Google’s dominance of online and mobile advertising and the fact that the company’s actions flagrantly violate its consent agreement with the Commission, I call on you to focus immediate attention on the Internet giant."

It's very simple: Google is evil. Once you start looking at them through that lens, everything they do will start making perfect sense.

I've been de-googlifying myself for the past 6 months and about the only piece of their tech I still use is YouTube. I've found excellent substitutes for everything else.

Now that they have that new "short & evil" privacy policy that gives them right to track & correlate all the data they have on you, it's paramount that you curtail your usage of Google products. Android really is a "spy in your pocket" now.

It's interesting how many privacy intrusions Google commits "accidentally." Wi-fi password and private data collection? Accidental. Private Buzz contact info made public without consent? Accidental. Furtively installing tracking cookies on devices by exploiting a loophole? Accidental. I'm wondering how one "accidentally" writes and deploys code that only works by targeting and exploiting a security loophole. When Anonymous or botnets exploit a security loophole to get what they want, it's called hacking (correctly). What is it when Google does it? Right, an accident.

Google's MO is to always do what it wants but apologize and claim it was an accident if caught. Rinse, repeat when the next privacy violation comes along in a couple months.

Please remember that YOU ARE NOT GOOGLE'S Customer. The ADVERTISER IS.

Their software is provided to you so that their paying Customers can advertise to you....

Ok, we get it. Y'all don't need to keep trotting this out every time a company giving away free services does something some users don't like. Just because we're not giving them money doesn't mean our opinions don't matter.

It's interesting how many privacy intrusions Google commits "accidentally." Wi-fi data collection? Accidental. Private Buzz contact info made public without consent? Accidental. Furtively installing tracking cookies on devices by exploiting a loophole? Accidental. I'm wondering how one "accidentally" writes code that deliberately targets a loophole. Google's MO - do what it wants first, if caught, apologize, claim it was an accident and retract. Rinse, repeat when the next privacy violation comes along in a couple months.

Seriously, this seems to be their excuse for everything. "Oops...did we do that? Sorry...my bad...won't happen again....was an accident....these things happen....sorry".

Folks shouldn't be shocked they will do everything they can to collect data and provide it to their customers (Advertisers)

This was fixed by Google engineers in the WebKit code base so I don't think there was any bad overall corporate intent on Google's part. On the other hand, I don't buy this "The Journal mischaracterizes what happened and why" from Google. I'd say some people at DoubleClick intentionally subverted Safari's privacy settings. The corporation needs to be held accountable but there's no reason to infer "evil" corporate policy.

Most likely an honest mistake on Google’s part. Can’t give them a complete pass though; Google engineers submitting a fix 7 months ago means there was knowledge on some level at Google this loophole existed.

Sticky times for companies right now balancing that line of functionality/features and privacy. I don’t envy anyone working on sufficiently complex projects that interact online … oh wait that’s me.

I am a customer of Google (an advertiser) and they don't give me data collected about their users, they use the data to target adverts.

I'm not sure how it can be a mistake... From what I've read, you'd need to carefully design this to bypass the normal protections.

Wait, so google found out that webkit wasn't working right, took the time to submit the fix, 7 months later, nobody has implemented said fix, and google gets a FTC complaint against THEM? How about a complaint about Safari advertising that it blocks cookies when, in fact, it wasn't?

Jebus people, take off your tinfoil hats more often, it has started damaging your brain cells.

But GOOGLE is using COOKIES to track my BRAIN. Random CAPITALIZATION.

Sounds like it's an issue on Safari's end. They turned off cookies then created the exceptions, the exceptions then did more than Google could foresee.

Companies don't test for every single contingency, they do what they want to do and that's it, in this case they wanted cookies with Safari, Safari allows that so they went for it. A flaw arose and Google and Apple will react. Personally I wish Apple would just actually block cookies, rather than saying they are and allowing some, it creates a problem for a user who thinks they're not accepting any when they are.

I'm no great fan of Google but please get the facts straight...

I stated they collected data not personal information which is a simple fact

I think it's good that things like this are caught. Whether intentional or not, this is a good learning experience for all parties interested in using cookies.

The only sure-fire way to understand how Safari works, however, is to release the code to the public. There, it may be scrutinized to avoid accidentally circumventing security measures. This will place the full onus on said companies who would have no basis to claim ignorance.

Google's *customer* is itself, in getting its cut of AdWords bucks from advertisers. Users are way on down the chain, of course. Insofar as Google "doing right" by supposedly fixing the problem, I'm not sure. But I'm convinced that it's not "Google-bashing" to say they did wrong.

Yes, I realize that Google doesn't operate as a pro-bono enterprise, but at a certain point, I draw the line: honesty. I had opted out: I chose opting out of all advertising arenas on the Google search options. And Google's statement said, clearly, "Last year, WE began using this functionality to enable features for signed-in Google users on Safari." [emphasis mine, to highlight who took action]

So if a thief breaks the lock on your house and steals some things, it's the lock company's fault for not making an impenetrable door?

No one forced Google to exploit this loophole, they did it on their own. And I'm not aware of any countdown clock that says if a loophole isn't fixed in X time, anyone is free to go ahead and exploit it. The onus is on everyone to both fix flaws quickly AND to refrain from exploiting them. Why do you think the burden falls solely on one party and Google bears no responsibility for THEIR actions?

Reputable companies don't exploit loopholes just because they exist, especially since just about every software out there has them.

Really? You're going to hit them with something they came forward and willingly admitted they found to be done in error with a public request to the government as to how the data should be destroyed?

-1 for you.

Yep since there was nothing "willing" about their admission or accidental about their coding. Google first denied their trucks did any wi-fi snooping. Then they said it was purely anonymous and it was just wi-fi location info. Then they admitted that yeah, we picked up passwords and other personal data. Then they tried to tell authorities they didn't need to investigate, we'll just delete the data, problem solved. At every stage of that investigation, they had to be dragged kicking and screaming to their "willing" admission by persistent privacy authorities, mainly in Europe, who refused to accept Google's assurance.

And yeah, it's still relevant today since it fits a pattern of behavior of how Google operates. Over and over, their privacy violations are "accidental." Fool me once, shame on you...

And it's worth pointing out, Google only stopped this tracking exploit after the WSJ told them they were going to run a story about it. It doesn't count as "willing" when you stop something after getting bad press. Hey, while we're patting Google on the back for their exemplary behavior, let's also give Path a gold star for "willingly" ending their privacy breach after media exposure!

You can get up in arms when they are doing something they are not supposed to be doing...Sound fair?

Which completely misses the point of the criticism, which is the way Google collected data here (surreptitiously, without consent and exploiting a loophole to override the default security block). It's not a question of what Google is doing but HOW. Sound fair?

And it's definitely not Google's business to collect data in violation of privacy laws or legal consent decrees, which is an important angle to the allegations here.

Article I read must have been spun in Google's favor, then, because I read that Google voluntarily came forward with the information as to what had been collected and requested feedback as to how it should be disposed of.

With a glaring loophole like the one Apple left in their cookie setup, they expected it to (a) not be incidentally taken advantage of and (b) not to be deliberately taken advantage of?

It wasn't a privacy feature. It was a bullet point pretending to be a privacy feature.

It's very much like the Windows 7 default UAC settings. It pretends to be a security setting, when in reality the whitelist breaks it of all real security and the resulting loophole renders it useless against actual malware writers. When malware abuses it, I'm not going to be saying "OMG they hackz0red Window's security!" It wasn't security in the first place.

The loophole that permitted this was fixed by Google engineers in the public WebKit source. Granted, there are parts of Safari (mostly the UI I believe) that aren't public source but that's not the case here.

Of course, I suppose if you wanted to be contrary you could say the open source gave engineers at DoubleClick the opportunity to find the loophole and exploit it without disclosing it. Not that they necessarily used the source, but there is that possibility.

One would like to hope that advertising code (especially from a company like Google) could be held to a higher standard than malware.

Exactly. By theJonTech's logic, Google could engage in widespread wiretapping, install keyloggers, and dig through everyone's household trash to collect credit card statements, and it would all be OK because "Google's business is to collect data."

Sorry, but some of us expect businesses to adhere to some moral and ethical standards. And we may not be "shocked" when they don't, but we reserve the right to be upset about it.